Self-signed certificates and Elliptic Curve Cryptography
There are many reasons to self-sign SSL/TLS certificates, but we find them particularly useful for staging sites and in the early stages of a project. We have a three-command guide to self-signing an SSL certificate if you aren't interested in ECC.
If you are also interested in ECC, you may know that the main argument for using elliptic curves in TLS is the small key size: where DSA or RSA needs a 1024-bit key, ECDSA (the elliptic-curve variant of DSA) needs roughly 160 bits for comparable strength, and the 256-bit curve used below is rated comparable to 3072-bit RSA. Key generation and signing are also cheaper. Note that ECDSA only signs; the session keys of a TLS connection are agreed separately, normally with ephemeral (EC)DH.
The smaller keys and cheaper operations matter most in embedded systems and other highly constrained environments; on an ordinary web server the difference is rarely noticeable, although every current browser accepts ECDSA certificates.
If you are specifically considering an ECDSA certificate like the one generated here with OpenSSL, it is worth reading Bruce Schneier's more detailed discussion first. If you are sure you want an ECC-based certificate, producing one is just as easy as any other self-signed certificate with OpenSSL, provided that your version supports ECDSA. The commands below have been verified to work on CentOS 7 and 8.
$ rpm -qa | egrep openssl-1
$ openssl ecparam -genkey -name prime256v1 -out ecserver.key && cat ecserver.key
-----BEGIN EC PARAMETERS-----
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
-----END EC PRIVATE KEY-----
$ openssl req -new -sha256 -key ecserver.key -out ecserver.csr -subj /CN=localhost.localdomain && cat ecserver.csr
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
$ openssl req -x509 -sha256 -days 3650 -key ecserver.key -in ecserver.csr -out ecserver.crt && cat ecserver.crt
$ ls -1
The first command is the only one specific to elliptic curves: it generates a private key on prime256v1, a standard curve over a 256-bit prime field, also known as NIST P-256 or secp256r1 and the most widely supported curve in TLS. You can list the curves your OpenSSL build knows about with:
openssl ecparam -list_curves
but prime256v1 is the safe default. As the output above shows, the key file also carries an EC PARAMETERS block in front of the private key; adding -noout to the ecparam command leaves it out, which helps with software that expects the file to start with the key itself.
The second command generates a certificate signing request (CSR) and the third signs that request with the same key to produce a self-signed X.509 certificate suitable for use on web servers. One caveat: modern browsers match the host name against the subjectAltName extension and ignore the CN, so a certificate made exactly as above still triggers a name-mismatch warning even after you import it as trusted. Add a SAN when you sign, for example with -addext "subjectAltName=DNS:localhost.localdomain" on OpenSSL 1.1.1 and later.
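The same three steps, wrapped in functions and followed by the checks a practitioner runs before installing the files on a server, as an added example (not code from the original post). It assumes OpenSSL 1.1.1 or later for `req -addext`; the host name, the output prefix and the alternative curve passed to the functions are hypothetical values chosen for illustration, and every file it writes goes into a scratch directory from mktemp.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: generate an EC key, CSR and
# self-signed certificate, then verify what was produced.
# Assumes OpenSSL >= 1.1.1 (for "req -addext"); host names, file prefix and
# curve names below are hypothetical parameters chosen for illustration.
set -eu

# Generate an EC private key, a CSR and a self-signed certificate.
#   $1 host name (used as CN and as a DNS subjectAltName)
#   $2 output file prefix, e.g. ./ecserver -> ecserver.key/.csr/.crt
#   $3 curve name (default prime256v1, i.e. NIST P-256 / secp256r1)
gen_ec_selfsigned() {
  host=$1; out=$2; curve=${3:-prime256v1}
  # -noout keeps the "EC PARAMETERS" block out of the key file, so the file
  # starts with the private key itself.
  openssl ecparam -name "$curve" -genkey -noout -out "$out.key"
  openssl req -new -sha256 -key "$out.key" -subj "/CN=$host" -out "$out.csr"
  # Browsers ignore the CN and require a subjectAltName, so add one.
  openssl req -x509 -sha256 -days 3650 -key "$out.key" -in "$out.csr" \
    -addext "subjectAltName=DNS:$host" -out "$out.crt"
}

# Name of the curve of the public key inside a certificate (e.g. prime256v1).
cert_curve() {
  openssl x509 -in "$1" -noout -pubkey |
    openssl ec -pubin -noout -text 2>/dev/null |
    awk -F': ' '/ASN1 OID/ { print $2 }'
}

# Signature algorithm recorded in the certificate (e.g. ecdsa-with-SHA256).
cert_sigalg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# subjectAltName entries, comma separated (e.g. DNS:localhost.localdomain).
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print; exit }'
}

# Succeeds only if the private key matches the public key in the certificate.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeeds only if the certificate validates with itself as the trust anchor.
cert_selfverifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone run: build a certificate for localhost.localdomain in a scratch
# directory and report on it.
workdir=$(mktemp -d)
gen_ec_selfsigned localhost.localdomain "$workdir/ecserver"
echo "curve:     $(cert_curve "$workdir/ecserver.crt")"
echo "signature: $(cert_sigalg "$workdir/ecserver.crt")"
echo "SAN:       $(cert_sans "$workdir/ecserver.crt")"
if key_matches_cert "$workdir/ecserver.key" "$workdir/ecserver.crt"; then
  echo "private key matches certificate"
else
  echo "KEY MISMATCH"
fi
if cert_selfverifies "$workdir/ecserver.crt"; then
  echo "self-verification OK"
else
  echo "SELF-VERIFICATION FAILED"
fi
rm -rf "$workdir"
```

The curve and signature checks are what to look at when a server or client rejects the certificate: the key must be on a curve the peer supports (prime256v1 everywhere; secp384r1 is the usual alternative), and the signature must be ecdsa-with-SHA256 rather than a SHA-1 variant. The key/certificate comparison catches the common deployment mistake of pairing a regenerated key with an old certificate.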
If you’re interested in elliptic curve cryptography, Wikipedia has a good introduction that includes the math behind it, as well as more specific information on ECDSA in particular. As usual, there are good links from there to learn more.